Conventional Aspects of Security 

• Computational assumptions 

- E.g., existence of a one-way function, RSA assumption, 
Decision Diffie-Hellman 

• Adversarial model 

- E.g., access to data/hardware, ability to corrupt, 
communication assumptions, goals 

• Verification methods 

- Cryptographic reductions to assumptions, BAN logic 

• Implementation aspects 

- E.g., will the communication protocol leak information that 
is considered secret in the application layer? 



The human factor of security 

• Deceit 

• Neglect 

• Configuration 



The human factor: configuration 

Weak passwords 

With Tsow, Yang, Wetzel: "Warkitting: the Drive-by 
Subversion of Wireless Home Routers" 
(Journal of Digital Forensic Practice, Volume 1, 
Special Issue 3, November 2006) 

Warkitting = wardriving + rootkitting 

Shows that more than 50% of APs are vulnerable 



The human factor: configuration 

Weak passwords 

With Stamm, Ramzan: "Drive-By Pharming" 

(Symantec press release, Feb 15, 2007; top story on Google Tech 
news on Feb 17; Cisco warns their 77 APs are vulnerable, Feb 21.) 
The human factor: neglect 

With Stamm, Gandhi: "Socially Transmitted Malware" (in 1) 




The human factor: deceit 

[Screenshot: "Security Warning" dialog] 
Do you want to install and run "YOU have an OUT OF DATE browser which can cause you to get infected with viruses, spam and spyware. To prevent this press YES now" signed on an unknown date/time and distributed by: 
Enternet Media Inc. 
Publisher authenticity verified by VeriSign Class 3 Code Signing 2001 CA 
Caution: Enternet Media Inc. asserts that this content is safe. You should only install/view this content if you trust Enternet Media Inc. to make that assertion. 
[ ] Always trust content from Enternet Media Inc. 
[More Info] 

(Threaten/disguise - image credit to Ben Edelman) 



The human factor: deceit 

[Chart: Unique Visits and Authentications per Hour] 

Self: "Modeling and Preventing Phishing Attacks" 
(Panel, Financial Crypto, 2005 - notion of spear phishing) 

With Jagatic, Johnson, Menczer: "Social Phishing" 
(To appear in the Communications of the ACM, Oct 2007) 

Self: "The Human Factor of Phishing" 
(Invited paper, Privacy & Security of Consumer Information, 2007) 
Social Context Experiment 

[Screenshot: the experiment e-mail] 
From: alice@indiana.edu 
To: bob@indiana.edu 
Subject: This is cool! 

Hey, check this out! 
<A HREF="https://www.whuffo.com/index?bob"> www.indiana.edu/~phishing </A> 
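The experiment e-mail above works because the visible link text names one host (www.indiana.edu) while the href points at another (www.whuffo.com). As an added example, not code from the talk or the Social Phishing study, the following mail-side check flags exactly that mismatch. The sample message is constructed for the example (the alice/bob addresses and whuffo.com are the talk's own placeholders; the extra anchors are ours), and the "registrable domain" helper is a deliberate approximation that compares the last two labels instead of consulting a public-suffix list.

```javascript
// Added example (not from the talk): flag anchors in an HTML e-mail whose
// visible text names one host while the href points at another, the pattern
// used by the experiment e-mail above.

// Constructed sample modelled on the experiment message; alice/bob and
// whuffo.com are the talk's placeholders, the other two anchors are ours.
const SAMPLE_EMAIL = `From: alice@indiana.edu
To: bob@indiana.edu
Subject: This is cool!

Hey, check this out!
<A HREF="https://www.whuffo.com/index?bob">www.indiana.edu/~phishing</A>
Our group page: <a href="https://www.indiana.edu/~phishing/">the anti-phishing group</a>
Plain link: <a href='http://www.indiana.edu/~phishing'>http://www.indiana.edu/~phishing</a>`;

// <a ... href="...">text</a>, case-insensitive, either quote style.
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*(["'])(.*?)\1[^>]*>([\s\S]*?)<\/a>/gi;

// Host part of s if s looks like a URL or a bare domain, else null.
function hostOf(s) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?=[\/:?#\s]|$)/i.exec(s.trim());
  return m ? m[1].toLowerCase() : null;
}

// Crude registrable-domain approximation: last two labels, no public-suffix
// list (an assumption of this example; a real filter would use one).
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

// Return every anchor whose visible text names a different registrable
// domain than its href. Anchors whose text is not URL-like are ignored.
function findDeceptiveLinks(html) {
  const hits = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[2];
    const text = m[3].replace(/<[^>]+>/g, "").trim(); // drop nested tags
    const hrefHost = hostOf(href);
    const textHost = hostOf(text);
    if (hrefHost && textHost && registrable(hrefHost) !== registrable(textHost)) {
      hits.push({ text, hrefHost, textHost });
    }
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const h of findDeceptiveLinks(SAMPLE_EMAIL)) {
    console.log(`link text "${h.text}" claims ${h.textHost} but goes to ${h.hrefHost}`);
  }
}
```

Only the whuffo.com anchor is reported: the anchor whose text is ordinary prose has no host to compare, and the anchor whose text and href agree passes. The check is one signal among several; a phisher can sidestep it with prose link text, which is why the experiment's click-through rates, not link inspection, are the point of the study.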
Experiment 

[Diagram: experiment flow, starting with the e-mail] 
Experiment Design 

[Diagram: the e-mail, the whuffo.com login page, and credential checking] 

From: stranger@indiana.edu 
To: charlie@indiana.edu 
Subject: This is cool! 

Hey, check this out! 
<A HREF="https://www.whuffo.com/index?charlie"> www.indiana.edu/~phishing </A> 

whuffo.com login page: "Indiana Network ID and Password", Password: ____, [ ] Remember my password, [OK] [Cancel] 

Diagram labels: access credentials -> kerberos authenticator 















Gender Effects 

(Success rate by sender and recipient gender) 

              From Male   From Female   From Any 
To Male          53%         68%          65% 
To Female        78%         76%          77% 
To Any           68%         73%          72% 
Most common expression of deceit: 

[Screenshot: eBay phishing e-mail] 

Dear eBay Member, 

We regret to inform you that your eBay account could be suspended if you don't re-update your 
account information. 

To resolve this problem please visit link below and re-enter your account information: 

https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0 

If your problems could not be resolved your account will be suspended for a period of 24 hours, 
after this period your account will be terminated. 

For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, 
indefinitely suspend or terminate your membership and refuse to provide our services to you if 
we believe that your actions may cause financial loss or legal liability for you, our users or us. 
We may also take these actions if we are unable to verify or authenticate any information you 
provide to us. 

[Next paragraph cut off at the right edge of the screenshot:] 
Due to the suspension of this account, please be 
any way. This includes the registering of a new a 
not relieve you of your agreed-upon obligation to 

Regards, 

Safeharbor Department eBay, Inc 

The eBay team 

This is an automatic message, please do not reply 



Human factor beyond phishing: 
Trusted computing, malware, click-fraud 

[Screenshot: "Security Precautions" e-mail in an inbox] 
From: Barclays 
Subject: Security Precautions 
Date: February 7, 2007 1:55:45 AM EST 
To: Markus Jakobsson 

[F-SECURE and BARCLAYS logos] 

Dear Barclays client 

When you recently logged in to our site, we detected that your 
F-Secure Anti-Virus software is not correctly configured, or that 
you have not downloaded the latest update. You should do this 
as soon as possible to protect yourself. 

Keep out fraud 
Protect yourself from scam emails. 
We will never ask you to disclose all your security details 

Click here or navigate to www.barclays-f-secure.com to update your protective shield. 
Spear Phishing and Data Mining 

Current attack style: 

[Diagram] 

Approx 3% of adult Americans report to have been victimized 

Spear Phishing and Data Mining 

More sophisticated attack style: 

[Diagram: "context aware attack"] 
How can information be derived? 

[Diagram] Jane Smith + Jose Garcia -> Jane Garcia, Jose Garcia ... and little Jimmy Garcia 

Let's start from the end! 

"Little" Jimmy -> his parents -> their marriage license -> and Jimmy's mother's maiden name: Smith 

More reading: Griffith and Jakobsson, "Messin' with Texas: 
Deriving Mother's Maiden Names Using Public Records." 



www.browser-recon.info 

[Screenshot: browser-recon.info demonstration page] 

An illustrative example 

Safari Users: Click here to reload this page. 

If I were a phisher, I would be glad to know you bank with: 
Fifth Third Bank 

Demonstration: View all "sites of interest" within your own browser history. 

Send a browser-recon.info link to a friend 
Your Name: ____ 
Your Email: ____ 
Friend's Name: ____ 
Friend's Email: ____ 
Would you like to know if your friend has visited any "sites of interest?" (o) yes ( ) no 

Note: Only your name will be shared with the recipient of the message. 
Notification messages of friend browser history will only indicate if this 
technique was successful. 

[Send] [Clear] 

How to "auto-click" 

[Screenshot: Google search results for "stop phishing", with result links marked "Link 2" and "3" and a "Fake Click!" callout] 

Read from page (same domain!) and make URL request 
Hiding it from the user 

[Screenshot: the attacker's page with Stop-Phishing.com (Indiana University), http://www.indiana.edu/~phishing/?about, "The Anti-Phishing group at Indiana University" (Papers, News, Events, People, Other Groups), loaded inside it; "Link 2" and a "Fake Click!" callout are marked on the embedded page] 

Readable text of the embedded page (left column cut off): "The anti-phishing research group at Indiana University, stop-phishing.com, [...] online fraud, and in particular, to reduce the economic viability of phishing attacks. We achieve this goal through a cross-disciplinary research agenda in which we consider all facets of the problem, ranging from psychological aspects and technology matters, to legal issues and interface design considerations. We are attuned to needs and concerns within the financial sector, among privacy advocates, and of common users, and are dedicated to turning the tide." 
Hiding from service providers 

[Diagram: User + ID#] 
Reverse Spiders 

Avoiding screening of bad js 

Plain version: 

    for( i= 1; i <= 10; i++ ){ 
        document.write( i );} 

Obfuscated version (the filler characters @ # % are stripped at run time and the result is handed to eval, so a screener that scans the source text never sees "document.write"): 

    code = "f@o"+"#r(i@"+"#="+1+";@"+"i#<=1%0"+";i" 
        +"+@#+){ @"+"d#oc"+"%um#"+"en%t."+"@w#r" 
        +"i#te"+"(@i + \"<b" + "r>\");}"; 
    eval(code.replace(/[@#%]/g, "")); 
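A screener does not have to run the script to see through this particular trick: the payload is a chain of literals joined by "+", the strip is a fixed regular expression, and eval is applied to the result. As an added example, not code from the talk, the following unwraps that concatenate-then-strip-then-eval pattern statically, by consuming the literals itself and applying the same replace, and then looks for the APIs the filter was meant to catch. The obfuscated snippet from the slide is embedded as the sample input; the tiny literal reader understands only what that pattern needs (string and number literals, backslash escapes, "+"), which is an assumption of the example, not a general JavaScript parser.

```javascript
// Added example (not from the talk): statically unwrapping the
// concatenate-then-strip-then-eval pattern shown above, without executing it.

// Constructed sample: the obfuscated snippet from the slide, as source text.
const SAMPLE = `code = "f@o"+"#r(i@"+"#="+1+";@"+"i#<=1%0"+";i"
+"+@#+){ @"+"d#oc"+"%um#"+"en%t."+"@w#r"
+"i#te"+"(@i + \\"<b" + "r>\\");}";
eval(code.replace(/[@#%]/g, ""));`;

// Consume a chain of "..."/'...' and numeric literals joined by '+' starting
// at pos; stop at the first ';' outside a literal. Only the subset needed for
// the pattern above is handled (assumption of this example).
function readConcatExpr(src, pos) {
  let out = "";
  let i = pos;
  while (i < src.length) {
    const c = src[i];
    if (c === ";") return { value: out, end: i + 1 };
    if (c === "+" || /\s/.test(c)) { i++; continue; }
    if (c === '"' || c === "'") {
      i++; // opening quote
      while (i < src.length && src[i] !== c) {
        if (src[i] === "\\") {
          const n = src[i + 1];
          out += n === "n" ? "\n" : n === "t" ? "\t" : n; // \" \\ \' and friends
          i += 2;
        } else {
          out += src[i++];
        }
      }
      i++; // closing quote
      continue;
    }
    if (/[0-9]/.test(c)) {
      let j = i;
      while (j < src.length && /[0-9.]/.test(src[j])) j++;
      out += src.slice(i, j);
      i = j;
      continue;
    }
    throw new Error(`unsupported token '${c}' at offset ${i}`);
  }
  return { value: out, end: i };
}

// Matches eval(NAME.replace(/PATTERN/FLAGS, "")) and captures the pieces.
const STRIP_EVAL_RE = /eval\(\s*(\w+)\.replace\(\/([^/]+)\/([gimsuy]*),\s*(["'])\4\s*\)\s*\)/;

// Rebuild the string eval would receive: find the assignment to NAME, join its
// literals, and apply the same strip. Returns null if the pattern is absent.
function unwrapStripEval(src) {
  const m = STRIP_EVAL_RE.exec(src);
  if (!m) return null;
  const [, name, pattern, flags] = m;
  const assign = new RegExp("\\b" + name + "\\s*=\\s*").exec(src);
  if (!assign) return null;
  const { value } = readConcatExpr(src, assign.index + assign[0].length);
  return { name, pattern, decoded: value.replace(new RegExp(pattern, flags), "") };
}

// Names a screener would look for once the payload is visible.
const WATCH = ["document.write", "eval(", "unescape(", "fromCharCode", "iframe", "location"];

function flagDecoded(decoded) {
  return WATCH.filter((w) => decoded.includes(w));
}

if (typeof require !== "undefined" && require.main === module) {
  const r = unwrapStripEval(SAMPLE);
  console.log("decoded:", r.decoded);
  console.log("flags:", flagDecoded(r.decoded));
}
```

On the slide's snippet the decoded text is the plain loop with document.write, so the screener's keyword match fires after unwrapping even though it fails on the raw source. The obvious counter-move is to vary the obfuscation (different split points, computed strip characters, an intermediate function), which is the arms race the slide title refers to; static unwrapping catches one generation of it, and anything that resists it is itself a reason to treat the script as suspicious.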



Possible attack using deceit 

[Diagram: search results list] 
1. Legitimate 
2. Attorney/lawyer 
3. Asthma/mesothelioma 

[spam text here, rendered in the background color] 

1. Legi... 
2. Attoi... 
3. Asth... 

... and if you are interested in ad fraud and how to stop it, 
consider attending AdFraud '07 (September 14, Palo Alto, CA) 
Organizers: Dan Boneh and Markus Jakobsson 
Big picture 

Security & Crypto 

[Diagram labels: Solve, die] 

Attackers follow the law of least resistance. 

Improved technology puts pressure on other technology. 
Core belief 

People are people, not machines. 

We need to measure vulnerabilities (in-lab and naturalistically) 
to understand the threat and the efficacy of countermeasures. 



Why do we need phishing experiments? 

To improve phishing countermeasures, knowing what works and what does not 



Padlocks do not matter 

[Screenshots: two variants of the Chase Personal Banking home page as shown in Mozilla ("Returning Users: Log On" with User ID / Password fields, "Remember my User ID", "Forgot User ID/Password?"; Security Center Highlights: "Chase helps keep you safe and informed", "Other online fraud and e-mail scams", "Ways we protect you", "How you can protect yourself"; ©2006 JPMorgan Chase & Co.), the pair used to compare perceived trustworthiness with and without the padlock] 



(Clean) URLs matter 

https://www.accountonline.com/View?DocId=Index&siteId=AC&langID=EN 

significantly less (with p<0.004) trustworthy than 

http://www.attuniversalcard.com 



Why do we need phishing experiments? 

To improve security education 

Why do we need Internet security education? 

Airplane with all security features that will ever exist 

Pilot who can be tricked that down is up 



Traditional Education 

[Clipping: Reader's Digest, June 2006, article on identity theft; the slide calls out its "Beat the Thieves" advice box] 

Readable excerpt: "Thieves target account information embedded in ATM, debit and credit cards by breaking into or otherwise compromising the equipment and systems used for processing payments. In March, for example, Citibank announced it was reissuing an unspecified number of ATM cards in Canada and overseas. The cards had stopped working for withdrawals. Avivah Litan, a Gartner analyst, says the culprit was most likely 'PIN block' card fraud, which she expects to see a lot of in the near future." ... "Another ripe target for identity thieves: the wireless networks that more and more computer users are setting up at home. A failure to block access to these networks can allow prying eyes into your hard drive." 

Beat the Thieves 

• Install security software and stay current with the latest patches. 

• Always be suspicious of unsolicited e-mail. 

• Monitor the volume and origin of pop-up ads. A change may signal something sinister. 

• Visit the FBI's new website, lookstoogoodtobetrue.gov, for tips. 

• Use debit cards like credit cards, i.e., with a signature, not a PIN code. 

• If you live in one of the 20 states where it's possible, place a freeze on credit reports. 
This stops any credit activity in your name unless you specifically initiate it. 

• Keep an eye out for "skimmers" lurking in places where you use cards. 

• Enable encryption on wireless routers immediately upon setting up a home network. 

• Shop only on secure websites (look for the padlock or "https" in the address bar); use 
credit, not debit, cards; don't store your financial info in an "account" on the website. 

Tips called out on the slide: 
- Install security software and stay current with the latest patches 
- Always be suspicious of unsolicited email. 
- Monitor the volume and origin of pop-up ads. 
- (look for the padlock or "https" in the address bar) 



Why do we need phishing experiments? 

To predict trends, knowing which human vulnerabilities 
have not yet been exploited. 



Ethical and accurate assessments 

With Ratkiewicz: "Designing Ethical Phishing Experiments: 
A study of (ROT13) rOnl auction query features" (WWW, 2006) 

Reality: 

[Screenshot: eBay "Question from devrandom-half" message] 
About This Member 
devrandom-half (0) 
Positive Feedback: 0% 
Member Since: May-01-01 
Location: IN, United States 
Registered On: www.ronl.com 

Hi, can you ship packages with insurance for an extra fee? Thanks! 

eBay: Respond to this question in My Messages. [Respond Now] 

Diagram labels: 1 -> eBay -> 3: credentials 

Ethical and accurate assessments 

With Ratkiewicz: "Designing Ethical Phishing Experiments: 
A study of (ROT13) rOnl auction query features" (WWW, 2006) 

Attack: 

[Same "Question from devrandom-half" message as above] 

Diagram labels: X (spoof) -> 2: credentials 

Ethical and accurate assessments 

With Ratkiewicz: "Designing Ethical Phishing Experiments: 
A study of (ROT13) rOnl auction query features" (WWW, 2006) 

Experiment: 

Diagram labels: eBay -> 4: credentials 

Yield (incl spam filtering loss): 11% + .3% ... "eBay greeting" removed: same 



Mutual authentication in the "real world" 

With Tsow, Shah, Blevis, Lim: 
"What Instills Trust? A Qualitative Study of Phishing" 
(Abstract at Usable Security, 2007) 

With Alex Tsow: "Deceit and Deception: A Large User Study of Phishing" 
(in submission) 
[Screenshot: Gmail, "An Important Update From UBS E-Banking", 1 message; the right edge of the message is cut off] 
From: UBS E-Banking <customerservi[...] 
To: jqpublic@gmail.com 

At UBS [...] Starting n[...] allowing you [...] features. [...] and are very proud of our new webp[...]ite you to try it out now. As you will see, t[...]ame time, we have kept the same look and f[...] 

Regards 

Sven Klemmer 
Vice President of eBanking 

If you are concerned about the authenticity of this [...] reference the UBS Security code #1739. If you wou[...] here [...]ase click here or call the number on the ba[...] more about email security or want to rep[...] 
[Cartoon:] "SO, WHICH ONE WAS IT THAT ROBBED YOU?" 

www.SecurityCartoon.com 



And next? Politishing? 

Annotated slides available at www.human-factor.org 

[Screenshot: "Doing what we do best" e-mail in an inbox] 
From: Howard Dean <democraticparty@democrats.org> 
Subject: Doing what we do best 
Date: July 30, 2007 1:00:35 PM EDT 
To: Markus Jakobsson 
Reply-To: dnc-003IX03VMn@mailer.democrats.org 

THE Democratic Party 

Now it's time to add your name to the history books. 

Stand with Al and pledge to live a life that will protect our 
environment for generations to come: 

Protect our environment 
for generations to come: 

http://www.democratic-party.us/LiveEarth 



